from nxc.helpers.misc import validate_ntlm
from nxc.nxcdb import DatabaseNavigator, print_table, print_help
from termcolor import colored
import functools
help_header = functools.partial(colored, color="cyan", attrs=["bold"])  # bold cyan: section/command headers in help text (see help_wcc)
help_kw = functools.partial(colored, color="green", attrs=["bold"])  # bold green: keywords/arguments in help text (see help_wcc)
class navigator(DatabaseNavigator):
def display_creds(self, creds):
    """Print the credential table.

    Each entry of ``creds`` is indexed as
    ``(cred_id, domain, username, password, credtype, ...)``. The
    "Admin On" column is the number of admin relations the database
    holds for that credential id.
    """
    table = [["CredID", "Admin On", "CredType", "Domain", "UserName", "Password"]]
    for row in creds:
        cred_id, domain, username, password, credtype = row[0], row[1], row[2], row[3], row[4]
        admin_links = self.db.get_admin_relations(user_id=cred_id)
        table.append([cred_id, f"{len(admin_links)} Host(s)", credtype, domain, username, password])
    print_table(table, title="Credentials")
def display_groups(self, groups):
    """Print the group table.

    Each entry of ``groups`` is indexed as
    ``(group_id, domain, name, rid, ad_members, last_query_time, ...)``.
    "Enumerated Members" is the number of group relations stored for
    the group id; "AD Members" is taken from the row as-is.
    """
    header = ["GroupID", "Domain", "Name", "RID", "Enumerated Members", "AD Members", "Last Query Time"]
    table = [header]
    for row in groups:
        group_id = row[0]
        enumerated = len(self.db.get_group_relations(group_id=group_id))
        table.append([group_id, row[1], row[2], row[3], enumerated, row[4], row[5]])
    print_table(table, title="Groups")
# pull/545
def display_hosts(self, hosts):
    """Print the host table.

    Each entry of ``hosts`` is indexed as
    ``(host_id, ip, hostname, domain, os, dc, smbv1, signing, spooler,
    zerologon, petitpotam)``; index 5 (DC) is not shown here. The OS
    cell is ``.decode()``d when possible and otherwise shown raw. The
    trailing columns are optional: a row too short for a group
    (6-7 or 8-10) shows empty strings for that whole group.
    "Admins" counts the admin relations stored for the host id.
    """

    def optional(row, *indices):
        # All-or-nothing: if any index of the group is missing, the
        # whole group is blanked.
        try:
            return tuple(row[i] for i in indices)
        except IndexError:
            return ("",) * len(indices)

    header = ["HostID", "Admins", "IP", "Hostname", "Domain", "OS", "SMBv1", "Signing", "Spooler", "Zerologon", "PetitPotam"]
    table = [header]
    for row in hosts:
        host_id, ip, hostname, domain = row[0], row[1], row[2], row[3]
        try:
            os_name = row[4].decode()
        except Exception:
            os_name = row[4]
        smbv1, signing = optional(row, 6, 7)
        spooler, zerologon, petitpotam = optional(row, 8, 9, 10)
        admin_links = self.db.get_admin_relations(host_id=host_id)
        table.append(
            [
                host_id,
                f"{len(admin_links)} Cred(s)",
                ip,
                hostname,
                domain,
                os_name,
                smbv1,
                signing,
                spooler,
                zerologon,
                petitpotam,
            ]
        )
    print_table(table, title="Hosts")
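def display_shares(self, shares):
    """Print the share table.

    Each entry of ``shares`` is indexed as
    ``(share_id, host_id, <unused>, name, remark, ...)``. The two
    access columns count the users the database records with read
    ("r") and write ("w") permission on the share.
    """
    table = [["ShareID", "host", "Name", "Remark", "Read Access", "Write Access"]]
    for row in shares:
        share_id, host_id, name, remark = row[0], row[1], row[3], row[4]
        readers = self.db.get_users_with_share_access(host_id=host_id, share_name=name, permissions="r")
        writers = self.db.get_users_with_share_access(host_id=host_id, share_name=name, permissions="w")
        # Both counts use the same "User(s)" wording (the write column used to say "Users").
        table.append([share_id, host_id, name, remark, f"{len(readers)} User(s)", f"{len(writers)} User(s)"])
    # Titled like the other display_* tables (this one was printed untitled).
    print_table(table, title="Shares")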
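def do_shares(self, line):
    """Handle the ``shares`` command.

    No argument lists every share; ``r``, ``w`` or ``rw`` lists the
    shares with that access level; anything else is a filter term.
    When a filter matches exactly one share, that share, the host it
    lives on and the credentials with read/write access are printed.
    """

    def print_share_users(users, title):
        # One row per credential of each user holding the access right.
        rows = [["CredID", "CredType", "Domain", "UserName", "Password"]]
        for user in users:
            for cred in self.db.get_credentials(filter_term=user[0]):
                rows.append([cred[0], cred[4], cred[1], cred[2], cred[3]])
        print_table(rows, title=title)

    filter_term = line.strip()

    if filter_term == "":
        self.display_shares(self.db.get_shares())
        return

    if filter_term in ("r", "w", "rw"):
        # Use the stripped term, not the raw line (which may carry whitespace).
        self.display_shares(self.db.get_shares_by_access(filter_term))
        return

    shares = self.db.get_shares(filter_term=filter_term)
    if len(shares) > 1:
        self.display_shares(shares)
        return
    if len(shares) != 1:
        # No match: nothing to show (unchanged behaviour).
        return

    share = shares[0]
    share_id, host_id, name, remark = share[0], share[1], share[3], share[4]
    print_table([["ShareID", "Name", "Remark"], [share_id, name, remark]], title="Share")

    # The host row may have been removed since the share was recorded;
    # skip the location table instead of failing on an empty result.
    hosts = self.db.get_hosts(filter_term=host_id)
    if hosts:
        host = hosts[0]
        print_table(
            [
                ["HostID", "IP", "Hostname", "Domain", "OS", "DC"],
                [host[0], host[1], host[2], host[3], host[4], host[5]],
            ],
            title="Share Location",
        )

    for permissions, title in (("r", "Users(s) with Read Access"), ("w", "Users(s) with Write Access")):
        users = self.db.get_users_with_share_access(host_id=host_id, share_name=name, permissions=permissions)
        if users:
            print_share_users(users, title)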
def help_shares(self):
    """Print the usage text for the ``shares`` command."""
    usage = """
    shares [filter_term]
    By default prints all shares
    Can use a filter term to filter shares
    """
    print_help(usage)
def do_groups(self, line):
    """Handle the ``groups`` command.

    No argument lists every group; otherwise the argument is a filter
    term. When it matches exactly one group, the group row and the
    credentials of its enumerated members are printed.
    """
    filter_term = line.strip()

    if not filter_term:
        self.display_groups(self.db.get_groups())
        return

    groups = self.db.get_groups(filter_term=filter_term)
    if len(groups) > 1:
        self.display_groups(groups)
    elif len(groups) == 1:
        header = ["GroupID", "Domain", "Name", "RID", "Enumerated Members", "AD Members", "Last Query Time"]
        rows = [header]
        for group in groups:
            enumerated = len(self.db.get_group_relations(group_id=group[0]))
            rows.append([group[0], group[1], group[2], group[3], enumerated, group[4], group[5]])
        print_table(rows, title="Group")

        # Members: every credential attached to a user id in the group's relations.
        member_rows = [["CredID", "CredType", "Pillaged From HostID", "Domain", "UserName", "Password"]]
        for group in groups:
            for _, userid, _ in self.db.get_group_relations(group_id=group[0]):
                for cred in self.db.get_credentials(filter_term=userid):
                    member_rows.append([cred[0], cred[4], cred[5], cred[1], cred[2], cred[3]])
        print_table(member_rows, title="Member(s)")
def help_groups(self):
    """Print the usage text for the ``groups`` command."""
    print_help(
        """
    groups [filter_term]
    By default prints all groups
    Can use a filter term to filter groups
    """
    )
def do_hosts(self, line):
    """Handle the ``hosts`` command.

    No argument lists every host; otherwise the argument is passed to
    the database as a filter term. When it matches exactly one host,
    the full host row (including DC) and the credentials with admin
    access to it are printed.
    """

    def optional(row, *indices):
        # All-or-nothing: a row too short for any index of the group
        # yields empty strings for the whole group.
        try:
            return tuple(row[i] for i in indices)
        except IndexError:
            return ("",) * len(indices)

    filter_term = line.strip()

    if not filter_term:
        self.display_hosts(self.db.get_hosts())
        return

    hosts = self.db.get_hosts(filter_term=filter_term)
    if len(hosts) > 1:
        self.display_hosts(hosts)
    elif len(hosts) == 1:
        header = ["HostID", "IP", "Hostname", "Domain", "OS", "DC", "SMBv1", "Signing", "Spooler", "Zerologon", "PetitPotam"]
        rows = [header]
        host_ids = []
        for host in hosts:
            host_ids.append(host[0])
            try:
                os_name = host[4].decode()
            except Exception:
                os_name = host[4]
            (dc,) = optional(host, 5)
            smbv1, signing = optional(host, 6, 7)
            spooler, zerologon, petitpotam = optional(host, 8, 9, 10)
            rows.append([host[0], host[1], host[2], host[3], os_name, dc, smbv1, signing, spooler, zerologon, petitpotam])
        print_table(rows, title="Host")

        # Credentials linked to the host through admin relations.
        cred_rows = [["CredID", "CredType", "Domain", "UserName", "Password"]]
        for host_id in host_ids:
            for _link_id, cred_id, _linked_host_id in self.db.get_admin_relations(host_id=host_id):
                for cred in self.db.get_credentials(filter_term=cred_id):
                    cred_rows.append([cred[0], cred[4], cred[1], cred[2], cred[3]])
        print_table(cred_rows, title="Credential(s) with Admin Access")
def do_wcc(self, line):
    """Handle the ``wcc`` command (Windows Configuration Checks results).

    ``wcc full`` selects every column; ``wcc <col> ...`` selects the
    named columns (case-insensitive; unknown names are ignored). With
    no recognised column, display_wcc_results falls back to its
    default column set.
    """
    valid_columns = {"ip": "IP", "hostname": "Hostname", "check": "Check", "description": "Description", "status": "Status", "reasons": "Reasons"}

    requested = line.strip()

    if requested.lower() == "full":
        columns = list(valid_columns.values())
    else:
        columns = []
        for token in requested.split(" "):
            key = token.lower()
            if key in valid_columns:
                columns.append(valid_columns[key])

    self.display_wcc_results(self.db.get_check_results(), columns)
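def display_wcc_results(self, results, columns_to_display=None):
    """Print Windows Configuration Checks results as a table.

    Args:
        results: iterable of ``(result_id, host_id, check_id, secure, reasons)``.
        columns_to_display: ordered column names to show; a falsy value
            selects the default ``IP, Hostname, Check, Status``. A name
            that is not a known column produces no cell (as before).

    Raises:
        IndexError: if a result references a host id the database does not return.
        KeyError: if a result references a check id not returned by get_checks().
    """
    columns = list(columns_to_display) if columns_to_display else ["IP", "Hostname", "Check", "Status"]

    checks_by_id = {}
    for check in self.db.get_checks():
        record = check._asdict()
        checks_by_id[record["id"]] = record

    # Results for the same host repeat; look each host up only once.
    hosts_by_id = {}

    table = [columns]
    for _result_id, host_id, check_id, secure, reasons in results:
        if host_id not in hosts_by_id:
            hosts_by_id[host_id] = self.db.get_hosts(host_id)[0]._asdict()
        host = hosts_by_id[host_id]
        check = checks_by_id[check_id]

        cells = {
            "IP": host["ip"],
            "Hostname": host["hostname"],
            "Check": check["name"],
            "Description": check["description"],
            "Status": "OK" if secure else "KO",
            "Reasons": reasons,
        }
        table.append([cells[column] for column in columns if column in cells])

    print_table(table, title="Windows Configuration Checks")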
def help_wcc(self):
    """Print the usage text for the ``wcc`` command (coloured via help_header/help_kw)."""
    command = help_header("wcc")
    column_choices = "|".join(help_kw(name) for name in ("ip", "hostname", "check", "description", "status", "reasons"))
    usage = f"""
    {help_header('USAGE')}
    {command} [{help_kw('full')}]
    {command} <{column_choices}>...

    {help_header('DESCRIPTION')}
    Display Windows Configuration Checks results

    {command} [{help_kw('full')}]
    If full is provided, display all columns. Otherwise, display IP, Hostname, Check and Status

    {command} <{column_choices}>...
    Display only the requested columns (case-insensitive)
    """
    print_help(usage)
def help_hosts(self):
    """Print the usage text for the ``hosts`` command."""
    usage = """
    hosts [dc|spooler|zerologon|petitpotam|filter_term]
    By default prints all hosts
    Table format:
    | 'HostID', 'IP', 'Hostname', 'Domain', 'OS', 'DC', 'SMBv1', 'Signing', 'Spooler', 'Zerologon', 'PetitPotam' |
    Subcommands:
    dc - list all domain controllers
    spooler - list all hosts with Spooler service enabled
    zerologon - list all hosts vulnerable to zerologon
    petitpotam - list all hosts vulnerable to petitpotam
    filter_term - filters hosts with filter_term
    If a single host is returned (e.g. `hosts 15`, it prints the following tables:
    Host | 'HostID', 'IP', 'Hostname', 'Domain', 'OS', 'DC', 'SMBv1', 'Signing', 'Spooler', 'Zerologon', 'PetitPotam' |
    Credential(s) with Admin Access | 'CredID', 'CredType', 'Domain', 'UserName', 'Password' |
    Otherwise, it prints the default host table from a `like` query on the `ip` and `hostname` columns
    """
    print_help(usage)
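def do_dpapi(self, line):
    """Handle the ``dpapi`` command: list dumped DPAPI secrets.

    No argument lists every secret. A subcommand (browser, chrome,
    msedge, credentials, iex, firefox) restricts the listing to the
    matching DPAPI type(s); any other term is used as a filter.
    Filtered and subcommand listings print nothing when empty; the
    unfiltered listing always prints (header only when empty).
    """
    header = ["ID", "Host", "DPAPI Type", "Windows User", "Username", "Password", "URL"]

    # Subcommand -> DPAPI type(s) fetched for it; "browser" is the union of the browser types.
    types_by_subcommand = {
        "browser": ("MSEDGE", "GOOGLE CHROME", "IEX", "FIREFOX"),
        "chrome": ("GOOGLE CHROME",),
        "msedge": ("MSEDGE",),
        "credentials": ("CREDENTIAL",),
        "iex": ("IEX",),
        "firefox": ("FIREFOX",),
    }

    def show(secrets, *, even_if_empty=False):
        # Prepend the header row and print the table.
        if secrets or even_if_empty:
            secrets.insert(0, header)
            print_table(secrets, title="DPAPI Secrets")

    filter_term = line.strip()

    if filter_term == "":
        show(self.db.get_dpapi_secrets(), even_if_empty=True)
        return

    subcommand = filter_term.split()[0].lower()
    if subcommand in types_by_subcommand:
        secrets = []
        for dpapi_type in types_by_subcommand[subcommand]:
            secrets += self.db.get_dpapi_secrets(dpapi_type=dpapi_type)
        show(secrets)
    else:
        show(self.db.get_dpapi_secrets(filter_term=filter_term))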
def help_dpapi(self):
    """Print the usage text for the ``dpapi`` command."""
    print_help(
        """
    dpapi [browser|chrome|msedge|credentials|iex|firefox|filter_term]
    By default prints all dpapi dumped secrets
    Table format:
    | 'ID', 'Host', 'DPAPI Type', 'Windows User', 'Username', 'Password', 'URL' |
    Subcommands:
    browser - list all secrets dumped from browser
    chrome - list all secrets dumped from chrome
    msedge - list all secrets dumped from microsoft edge
    credentials - list all secrets dumped from credential manager (user and system)
    iex - list all secrets dumped from Internet Explorer
    firefox - list all secrets dumped from Firefox
    filter_term - filters dpapi secrets with filter_term
    """
    )
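def do_creds(self, line):
    """Handle the ``creds`` command.

    Subcommands (first word, case-insensitive):
    ``add domain username password`` stores the credential as type
    "hash" when validate_ntlm() accepts the password, else "plaintext";
    ``remove <credID>`` deletes the credential and its admin relations;
    ``plaintext`` / ``hash`` list credentials of that type. Any other
    term is a filter; when it matches exactly one credential, its row,
    group memberships and admin-access hosts are printed.
    """
    filter_term = line.strip()

    if filter_term == "":
        self.display_creds(self.db.get_credentials())
        return

    # The keyword is the first word; everything after it are its arguments.
    subcommand, *args = filter_term.split()
    subcommand = subcommand.lower()

    if subcommand == "add":
        # add format: "domain username password <notes> <credType> <sid>
        if len(args) != 3:
            # Closing quote was missing from this message.
            print("[!] Format is 'add domain username password'")
            return
        domain, username, password = args
        cred_type = "hash" if validate_ntlm(password) else "plaintext"
        self.db.add_credential(cred_type, domain, username, password)
    elif subcommand == "remove":
        if len(args) != 1:
            print("[!] Format is 'remove <credID>'")
            return
        self.db.remove_credentials(args)
        self.db.remove_admin_relation(user_ids=args)
    elif subcommand in ("plaintext", "hash"):
        self.display_creds(self.db.get_credentials(cred_type=subcommand))
    else:
        creds = self.db.get_credentials(filter_term=filter_term)
        if len(creds) != 1:
            self.display_creds(creds)
            return

        cred = creds[0]
        cred_id = cred[0]
        print_table(
            [
                ["CredID", "CredType", "Pillaged From HostID", "Domain", "UserName", "Password"],
                [cred_id, cred[4], cred[5], cred[1], cred[2], cred[3]],
            ],
            title="Credential(s)",
        )

        group_rows = [["GroupID", "Domain", "Name"]]
        for _link_id, _user_id, group_id in self.db.get_group_relations(user_id=cred_id):
            for group in self.db.get_groups(group_id):
                group_rows.append([group[0], group[1], group[2]])
        print_table(group_rows, title="Member of Group(s)")

        host_rows = [["HostID", "IP", "Hostname", "Domain", "OS"]]
        for _link_id, _linked_cred_id, host_id in self.db.get_admin_relations(user_id=cred_id):
            for host in self.db.get_hosts(host_id):
                host_rows.append([host[0], host[1], host[2], host[3], host[4]])
        print_table(host_rows, title="Admin Access to Host(s)")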
def help_creds(self):
    """Print the usage text for the ``creds`` command."""
    usage = """
    creds [add|remove|plaintext|hash|filter_term]
    By default prints all creds
    Table format:
    | 'CredID', 'Admin On', 'CredType', 'Domain', 'UserName', 'Password' |
    Subcommands:
    add - format: "add domain username password <notes> <credType> <sid>"
    remove - format: "remove <credID>"
    plaintext - prints plaintext creds
    hash - prints hashed creds
    filter_term - filters creds with filter_term
    If a single credential is returned (e.g. `creds 15`, it prints the following tables:
    Credential(s) | 'CredID', 'CredType', 'Pillaged From HostID', 'Domain', 'UserName', 'Password' |
    Member of Group(s) | 'GroupID', 'Domain', 'Name' |
    Admin Access to Host(s) | 'HostID', 'IP', 'Hostname', 'Domain', 'OS'
    Otherwise, it prints the default credential table from a `like` query on the `username` column
    """
    print_help(usage)
def do_clear_database(self, line):
    """Handle ``clear_database``: wipe the connected database after an exact "y" confirmation."""
    prompt = "This will destroy all data in the current database, are you SURE you want to run this? (y/n): "
    confirmed = input(prompt) == "y"
    if confirmed:
        self.db.clear_database()
def help_clear_database(self):
    """Print the usage text for the ``clear_database`` command."""
    print_help(
        """
    clear_database
    THIS COMPLETELY DESTROYS ALL DATA IN THE CURRENTLY CONNECTED DATABASE
    YOU CANNOT UNDO THIS COMMAND
    """
    )
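def complete_hosts(self, text, line, begidx=None, endidx=None):
    """Tab-complete 'hosts' commands.

    Assuming DatabaseNavigator is a cmd.Cmd, cmd.Cmd.complete() invokes
    completers as ``(text, line, begidx, endidx)``; the two index
    arguments are accepted (and ignored) so that call does not fail,
    while the previous three-argument form keeps working.
    Candidates are the subcommands documented in help_hosts.
    """
    commands = ("dc", "spooler", "zerologon", "petitpotam")

    # Everything after the command word is what has been typed so far.
    mline = line.partition(" ")[2]
    offs = len(mline) - len(text)
    return [s[offs:] for s in commands if s.startswith(mline)]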
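def complete_creds(self, text, line, begidx=None, endidx=None):
    """Tab-complete 'creds' commands.

    Assuming DatabaseNavigator is a cmd.Cmd, cmd.Cmd.complete() invokes
    completers as ``(text, line, begidx, endidx)``; the two index
    arguments are accepted (and ignored) so that call does not fail,
    while the previous three-argument form keeps working.
    Candidates are the subcommands handled by do_creds.
    """
    commands = ("add", "remove", "hash", "plaintext")

    # Everything after the command word is what has been typed so far.
    mline = line.partition(" ")[2]
    offs = len(mline) - len(text)
    return [s[offs:] for s in commands if s.startswith(mline)]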